From: Julian Elischer
Date: Sat, 17 Nov 2007 20:37:03 -0800
To: freebsd-net@freebsd.org
Subject: Re: ipfw and netgraph confusion
Message-ID: <473FC16F.9030107@elischer.org>
In-Reply-To: <20071118001536.GG43532@hal.rescomp.berkeley.edu>
List-Id: Networking and TCP/IP with FreeBSD

Christopher Cowart wrote:
> Hello,
>
> I'm trying to use the ng_nat node on 6.2.
>
> I have one set of IP -> ng cookie mappings in tables and a single
> default mapping for anything that doesn't match the tables.
>
> The first case, using tables, is the "Authenticated" case:
> | /sbin/ipfw add netgraph tablearg all from "table(4)" to any in via \
> |   vlan88
> | 01040 netgraph tablearg ip from table(4) to any in via vlan88
> | /sbin/ipfw add netgraph tablearg all from any to "table(3)" in via \
> |   vlan665
> | 01060 netgraph tablearg ip from any to table(3) in via vlan665
> | /sbin/ipfw table 4 list
> | 10.8.62.255/32 200065132
> | /sbin/ipfw table 3 list
> | 169.229.65.132/32 100065132
>
> This case works great. I inserted some count log rules and see that the
> src and dst IP addresses are being altered as I would expect.
>
> When I fall back to the default case for "Unauthenticated" users:
> | /sbin/ipfw add netgraph 100079145 all from 10.8.0.0/18 to any in \
> |   via vlan88
> | 01230 netgraph 5673 ip from 10.8.0.0/18 to any in via vlan88
> | /sbin/ipfw add netgraph 200079145 all from any to 169.229.79.145
> | 01240 netgraph 63273 ip from any to 169.229.79.145
>
> Notice the netgraph cookies here are 100079145 and 200079145. These are
> the same values I used with ng_ctl. The resulting ipfw rules say the
> cookies are 5673 and 63273. After matching the netgraph rules in this
> case, the src and dst IP addresses are logged unchanged. This leads me
> to believe ipfw sent them to non-existent nodes. The behavior I'm
> witnessing indicates that indeed, these packets have not been NATed.
>
> Troubleshooting a bit, I noticed that if I change the constant numbers
> to 10 and 20, things work exactly as expected. I'm going to venture a
> guess that when a netgraph cookie is parsed on the command line, it's
> interpreted as a 16-bit int, but when you're using tableargs, 32-bit
> ints work. This inconsistent behavior is a bit confusing (and led me to
> a couple hours of frustrated debugging). Anyone else aware of this
> problem? Should I file a PR?

I'm not sure about netgraph cookies, but a lot of the cookies in ipfw are
16 bits, e.g. divert cookies.

I don't know much about the ipfw netgraph command as I've never used it.

> Thanks,
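Added example, not from the thread and not ipfw's code: a C check of the arithmetic behind the guess above. The cookies shown in the rule listing, 5673 and 63273, are exactly the low 16 bits of 100079145 and 200079145, which is what a parser that stores the value in a 16-bit field would produce; the strict 32-bit parser beside it is a hypothetical replacement that rejects out-of-range and malformed input instead of wrapping.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a parser that keeps the cookie in a 16-bit
 * field: bits above 15 are silently dropped. Not ipfw's own code. */
static uint16_t parse_cookie_16(const char *s)
{
    return (uint16_t)strtoul(s, NULL, 10);
}

/* Strict 32-bit parse (hypothetical fix): rejects signs, trailing junk
 * and out-of-range values. Returns the cookie, or -1 on error. */
static long long parse_cookie_32(const char *s)
{
    char *end;
    unsigned long long v;

    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno != 0 || *end != '\0' || v > UINT32_MAX)
        return -1;
    return (long long)v;
}

/* Diagnostic: does the cookie shown in the rule listing equal the low
 * 16 bits of the cookie typed on the command line? */
static int looks_truncated_to_16(uint32_t typed, uint32_t shown)
{
    return typed != shown && (typed & 0xFFFFu) == shown;
}

int main(void)
{
    /* Constructed from the values quoted in the thread. */
    static const char *typed[] = { "100079145", "200079145", "10", "20" };
    static const uint32_t shown[] = { 5673, 63273, 10, 20 };

    for (size_t i = 0; i < 4; i++) {
        long long c = parse_cookie_32(typed[i]);
        printf("typed %s -> 16-bit %u, 32-bit %lld, truncated? %s\n",
               typed[i], (unsigned)parse_cookie_16(typed[i]), c,
               looks_truncated_to_16((uint32_t)c, shown[i]) ? "yes" : "no");
    }
    return 0;
}
```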